IP: 104.152.52.235
Risk: Medium
Signal: 59/100
Location
Chicago, Illinois
ASN
AS51088
Rethem Hosting LLC
First Seen
Sep 12, 2022
Last Seen
Jun 16, 2026
Found in 27 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
59%
Signal Score
59 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region: Chicago, Illinois
ASN: AS51088
Organization: Rethem Hosting LLC
IP Category
Proxy
Proxy server
Feed Intelligence Summary
Source reports: 27
Confidence score: 59%
Category tags
abuse, abuseipdb, account compromise, active scan, active scanning, aerospace & defense, asia, attack, attacker ips, australia, authentication, authentication attempts, authentication_failures, auto-generated security, automated attacks, automated threat, automotive manufacturing, bad reputation, bad web bot, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempts, brute-force, bruteforce, cisco device, cisco exploitation attempts, civil services, cloud infrastructure, cloud infrastructure attack, cloud services, command and control, command injection, communication protocol, cowrie, cowrie attacks, cowrie emulation, cowrie honeypot, cowrie ssh attacks, credential access, credential attacks, credential brute force, credential harvesting, credential stuffing, credential_stuffing, data encryption, data exfiltration, data store exposure, database attack, database attacks, database security, ddos, ddos attack, decoy system, defense, defense contracting, defense logistics, defense systems, defense technology, denial of service, device management, dictionary attack, digital ocean, digitalocean environment, dionaea, dionaea attacks, dionaea capture, dionaea honeypot, dionaea malware samples, distributed attacks, dns, dns attack, elasticpot honeypot, elasticsearch monitoring, electronics manufacturing, encryption, enterprise networking, europe, exploit, exploit attempt, exploit attempts, exploitation, exploitation activity, exploitation attempt, exploited host, external access attempts, external threat, failed login attempts, fatt, file, finland, france, ftp, ftp brute force, ftp brute-force, germany, government technology, hacking, honeynet connect, honeytrap data, honeytrap exploit attempts, honeytrap honeypot, http brute force, http scanner, http scanning, http/s, identity & access exploitation, indicator, industrial automation, industrial iot, industrial production, infrastructure acquisition reconnaissance, initial access, initial access vector, injection activity, injection attacks, internet-scanning, intrusion detection, ioc, iot security, iot targeted, ipv4, ipv4-scanning, japan, kfsensor honeypot, lamp, lamp attack, lamp exploitation attempts, lamp server attack, lamp stack, lamp stack attack, lamp stack targeting, lateral movement, linux servers, linux systems, login attempt, login attempts, login_attempt, mailoney honeypot, malaysia, malicious activity, malicious activity detected, malicious file transfer, malicious software, malicious traffic, malware, malware behaviour, malware capture, malware detection, malware distribution, malware propagation, manual, manufacturing technology, mass-scanning, military operations, mssql, mssql brute force, national security, network, network attacks, network enumeration, network infrastructure, network intrusion, network intrusion attempts, network port scanning, network probe, network probing, network protocol, network reconnaissance, network scanning, network security, network services, network traffic analysis, network_activity, nextray, north america, oceania, open proxy, p0f, p0f network fingerprinting, password attack, password attacks, password cracking, password_guessing, phishing, phishing attack, phishing trap, poland, portscan, possible malware distribution, possible mirai variant, pre-attack, process injection, process manufacturing, protocol exploitation, proxy, public administration, public infrastructure, public policy, quality control, ransomware, reconnaissance, regulatory agencies, remote access, remote login, remote services, remote_access, research, researched, resource hijacking, sans, scanner, scanner ips, scanners, scanning activity, scripting attacks, security operations, sensor-tagged, sentrypeer botnet, sentrypeer detection, server exploitation, service scan, service scanning, sftp access attempt, sftp activity, sftp attack, sftp exploitation, singapore, sip brute force, sip scanning, smb brute force, smb scanning, smtp, smtp attacker, smtp brute force, social engineering, source, spam, sql injection, ssh, ssh attack, ssh monitoring, ssh-brute, supply chain attack, supply chain management, suricata alerts, syn, system access, t-pot, t1005, t1016, t1018, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1040, t1041, t1046, t1055, t1059, t1059.001, t1059.003, t1059.004, t1059.007, t1068, t1071, t1071.001, t1076, t1077, t1078, t1078.004, t1087, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1110: brute force, t1133, t1189, t1190, t1195, t1203, t1204.002, t1486, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1550.002, t1563, t1565, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1583, t1587.001, t1589, t1590, t1590.001, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, t1595: active scanning, tanner, targeting database, tcp protocol, tcp scan, tcp/21, tcp/23, tcp/3306, tcp/5900, tcp/80, telecommunications, telnet, telnet threat, threat actor, threat detection, threat intelligence, tor node, tpot, udp port scan, udp scan, unattributed activity, unauthorized access, unauthorized access attempt, united states, united states of america, us, vnc protocol, voip, voip attack, vulnerability scan, vulnerability-scanning, vultr, web app attack, web application attack, web application attacks, web application scanning, web attack, web exploit, web exploitation, web scanner, web shell detection, web spam, web traffic
Activity Timeline
Jun 16 to Jun 16
Threat Activity Heatmap (peak: 2026-06-16; weekday axis Mon/Wed/Fri; chart image not recoverable)
Activity by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 59
Confidence: 59%
Reports: 27
First seen: Sep 12, 2022
Last seen: Jun 16, 2026
Geolocation: US
Country: United States
Location: Chicago, Illinois
ASN: AS51088
Org: Rethem Hosting LLC
Coords: 37.7510, -97.8220
Proxy
VirusTotal
Not checked
WHOIS
- description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw:
  NetRange: 104.152.52.0 - 104.152.55.255
  CIDR: 104.152.52.0/22
  NetName: RETHEM-HOSTING
  NetHandle: NET-104-152-52-0-1
  Parent: NET104 (NET-104-0-0-0-0)
  NetType: Direct Allocation
  OriginAS:
  Organization: Rethem Hosting LLC (RHL-18)
  RegDate: 2014-07-11
  Updated: 2014-07-11
  Ref: https://rdap.arin.net/registry/ip/104.152.52.0
  OrgName: Rethem Hosting LLC
  OrgId: RHL-18
  Address: 500 N. Michigan Ave
  Address: Suite 300
  City: Chicago
  StateProv: IL
  PostalCode: 60611
  Country: US
  RegDate: 2011-03-16
  Updated: 2012-05-25
  Ref: https://rdap.arin.net/registry/entity/RHL-18
  OrgNOCHandle: NOC11885-ARIN
  OrgNOCName: Network Operations Center
  OrgNOCPhone: +1-212-257-2998
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
  OrgTechHandle: NOC11885-ARIN
  OrgTechName: Network Operations Center
  OrgTechPhone: +1-212-257-2998
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
  OrgAbuseHandle: NOC11885-ARIN
  OrgAbuseName: Network Operations Center
  OrgAbusePhone: +1-212-257-2998
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/NOC11885-ARIN
- references:
  - https://github.com/telekom-security/tpotce
  - https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
  - https://github.com/borestad/blocklist-abuseipdb/blob/main/abuseipdb-s100-3d.ipv4
IOC Journey
Confidence: medium. First detected 3 years ago; last seen 11 days ago.
Appeared in 27 threat reports